From 22c4ccbf30d94298e51c68afd8a5b60a6fc6ce15 Mon Sep 17 00:00:00 2001 From: ysheffer Date: Thu, 19 Dec 2024 19:51:19 +0200 Subject: [PATCH 1/2] Terribly complex ABNF for WPT --- draft-ietf-wimse-s2s-protocol.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md index 49910c1..8c62a8c 100644 --- a/draft-ietf-wimse-s2s-protocol.md +++ b/draft-ietf-wimse-s2s-protocol.md @@ -282,7 +282,8 @@ For those who celebrate, ABNF {{RFC5234}} for the value of `Workload-Identity-To ALPHA = %x41-5A / %x61-7A ; A-Z / a-z DIGIT = %x30-39 ; 0-9 base64url = 1*(ALPHA / DIGIT / "-" / "_") -WIT = base64url "." base64url "." base64url +JWT = base64url "." base64url "." base64url +WIT = JWT ~~~~ {: #wit-header-abnf title="Workload-Identity-Token Header Field ABNF"} @@ -310,6 +311,15 @@ This option, inspired by the OAuth DPoP specification {{?RFC9449}}, uses a DPoP- the calling workload in the context of the request. The WIMSE Identity Token ({{to-wit}}) is sent in the request as described in {{wit-http-header}}. An additional JWT, the Workload Proof Token (WPT), is signed by the private key corresponding to the public key in the WIT. The WPT is sent in the `Workload-Proof-Token` header field of the request. +The ABNF syntax of the `Workload-Proof-Token` header field is: + +~~~ abnf +WIT = JWT +~~~~ +{: #wpt-header-abnf title="Workload-Proof-Token Header Field ABNF"} + +where the `JWT` projection is defined in {{wit-header-abnf}}. + A WPT contains the following: * in the JOSE header: From ba28b19efed81a73dbb3badaea1f1d5753622760 Mon Sep 17 00:00:00 2001 From: ysheffer Date: Thu, 19 Dec 2024 19:54:28 +0200 Subject: [PATCH 2/2] Oops --- draft-ietf-wimse-s2s-protocol.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md index 8c62a8c..9412dae 100644 --- a/draft-ietf-wimse-s2s-protocol.md 
+++ b/draft-ietf-wimse-s2s-protocol.md @@ -314,7 +314,7 @@ corresponding to the public key in the WIT. The WPT is sent in the `Workload-Pro The ABNF syntax of the `Workload-Proof-Token` header field is: ~~~ abnf -WIT = JWT +WPT = JWT ~~~~ {: #wpt-header-abnf title="Workload-Proof-Token Header Field ABNF"}
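Review bot: In the first hunk of PATCH 1/2 (@@ -282,7 +282,8 @@), the new `JWT` rule needs a comment stating its scope. It matches exactly three non-empty base64url segments, which is the JWS compact form of a signed JWT, yet the name is generic and the rule is now reused from the WPT section. Something like `JWT = base64url "." base64url "." base64url ; signed JWT, JWS compact serialization` would stop readers from taking it as a grammar for every JWT. The rule also lives in the figure titled "Workload-Identity-Token Header Field ABNF", so a reader of the WPT section has to jump back to a WIT-specific figure to find it.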
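Review bot: In the second hunk of PATCH 1/2 (@@ -310,6 +311,15 @@), the added sentence "where the `JWT` projection is defined in {{wit-header-abnf}}" says "projection" where the ABNF term is "rule" (or "production"). PATCH 2/2 changes only the `WIT = JWT` line, so this wording still needs a fix. In the same hunk the figure anchored as #wpt-header-abnf defines `WIT = JWT`, which 2/2 corrects to `WPT`. The added block also opens with `~~~ abnf` and closes with `~~~~`; using the same fence length on both sides would be cleaner.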
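Review bot: The single-line change from `WIT = JWT` to `WPT = JWT` in PATCH 2/2 (@@ -314,7 +314,7 @@) should be squashed into 1/2 rather than land as its own commit. It corrects a rule that 1/2 introduces in the same series, so the intermediate commit carries a figure titled "Workload-Proof-Token Header Field ABNF" that defines `WIT`. If it stays separate, the subject "Oops" should be replaced with one that names the rule being fixed.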